as mentioned on the cryptography list http://www.homeport.org/~adam/starttls.html
StartTLS for Opportunistic Email Encryption with Postfix Lots and lots of sites use StartTLS for encrypting local email, usually so that they can hide passwords when SMTP auth is used. But, StartTLS also gives you the ability to opportunisticly encrypt mail as it heads across the Internet. This document builds on Patrick Koetter's STMTP/StartTLS docs, and starts where they say "That's it. Your done. Have fun." Pre-conditions: Have postfix installed and running. Have StartTLS going when postfix is a server. Post-conditions: Postfix will act as a starttls client, encrypting mail when the other side speaks TLS. Now, this is really easy. Let me simply offer up the relevant bits of my postfix main.cf: smtp_use_tls = yes smtp_tls_note_starttls_offer = yes smtp_tls_key_file = /etc/postfix/certs/newreq.pem smtp_tls_cert_file = /etc/postfix/certs/newcert.pem smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache Now, the first two lines should be obvious. I'm not 100% clear on why we need them both, but we seem to. The second two are the same values as my smtpd_tls_key_file and smtpd_tls_cert_file. They're not in the same place as M. Koetter put them, but thats a trivial difference. I like the certs directory because it keeps things neat. If everything has worked as planned, your mail recieved headers will get better, looking something like this: Received: from Alice (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by Bob (Postfix) with ESMTP id CC7593008F for <[EMAIL PROTECTED]>; Wed, 2 Oct 2002 15:20:39 -0400 (EDT) If everything is not working as planned, turn up your log levels. Odds are good you're already trading mail with people using starttls. And that's it. You're done. Have fun. Why? Because some people want to read your email. Others don't. But it should be your choice. Adam Shostack Last modified: Mon Oct 28 19:50:10 EST 2002
